Sunday, January 27, 2019

I use AWS for work, and use Terraform for creating the resources. My team uses a common directory structure for our Terraform files, and it seems to work pretty well for separating resources between project groups, logical environments, and regions. However, creating new project directory structures can be a pain, so I decided to create a Yeoman generator to automate the process. Please check out the generator I made, and let me know what you think!

Saturday, January 20, 2018

I bought some Philips Hue Lights, and have really enjoyed them - but I enjoy them even more now that I have the IoT button integrated with the lights. Here is a video showing my AWS IoT button interacting with my Philips Hue Go lamp.

AWS IoT Button:

I had seen the AWS IoT button on Amazon and, although I didn't have any ideas of what I would do with the button, I wanted to work on a project which would use one of the buttons. I found this fun project that also uses an AWS IoT button, and the Philips Hue API with the Go lamp. I had bought a Philips Hue Go light, as well as a number of other Philips Hue lights, so I decided to recreate the project from the YouTube video above but using an AWS Lambda instead of a Raspberry Pi.

Something that was pointed out to me (embarrassingly) is that this method is not secure. The requests to the Hue bridge are sent unencrypted and include the authorization credential, so anyone who can read that traffic could send their own API calls to the bridge. Any one of those API calls could have a security hole that an attacker or a curious person could use.

A couple of ideas I've had for using the Philips Hue lights are flashing the lights in certain colors to indicate a rise above, or drop below, stock or cryptocurrency price points, and flashing the lights when people are close to home (integrated with IFTTT). However, using the IoT button to control the lights looked fun and gave me an excuse to learn a little bit about AWS Lambdas. It's worth mentioning that Philips makes a switch that can be easily programmed to control your Philips Hue lights.

Set up IoT Button:

I used the "Getting Started" guide to set up the IoT button. It walks you through registering your device, creating and activating a device certificate, creating and attaching an IoT policy to the device certificate, attaching the certificate to a "Thing" (the button), and configuring your IoT button with the details it needs to connect to your WiFi.

One of the last steps in the "Getting Started" guide is configuring and testing rules. The example has each IoT button push send an SNS message, which is then delivered as a text message to your phone. I decided to have the SNS message trigger a Lambda instead, and use the Lambda to send the REST calls to my Philips Hue bridge.

AWS Lambda:

Here is the AWS Lambda code that I used:

I have my router configured to use Dynamic DNS, and then I have a port forwarding rule that forwards to the Philips Hue bridge. The Lambda figures out whether the button click was a single click, a double click, or a long click. A double click turns the light on and off, a single click increments the hue value the light is set to, and a long click sets the light to use the color loop effect.
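As an added example (this is not the Lambda code from the original post, which is not reproduced here), the following Java handler implements the click handling just described: it takes the IoT button payload that SNS wraps in its message, dispatches on the click type, and issues the corresponding PUT to the bridge's light state resource. It assumes the bridge address, the Hue API username and the light id are supplied in environment variables named HUE_BRIDGE_HOST, HUE_USERNAME and HUE_LIGHT_ID (names chosen for this example), uses an arbitrary hue step of 8192, and needs the aws-lambda-java-core and aws-lambda-java-events libraries plus Java 11 for java.net.http. Reading the bridge username from the function's configuration rather than hard-coding it is a small improvement, but the caveat above still applies: over plain HTTP through a port forward, that credential travels in the clear.

```java
import com.amazonaws.services.lambda.runtime.Context;
import com.amazonaws.services.lambda.runtime.RequestHandler;
import com.amazonaws.services.lambda.runtime.events.SNSEvent;

import java.io.IOException;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example, not the original post's Lambda. Maps an AWS IoT button click
// (delivered via SNS) to a Philips Hue light state change.
public class HueButtonHandler implements RequestHandler<SNSEvent, String> {

    // Assumed environment variable names; set them on the Lambda function.
    private static final String BRIDGE_HOST = System.getenv("HUE_BRIDGE_HOST");
    private static final String HUE_USERNAME = System.getenv("HUE_USERNAME");
    private static final String LIGHT_ID = System.getenv("HUE_LIGHT_ID");

    // Assumed step size; the bridge accepts hue values in the range 0..65535.
    private static final int HUE_STEP = 8192;

    // The button payload is a small JSON document; a regex avoids pulling in a
    // JSON library for this example. A real handler would use a proper parser.
    private static final Pattern CLICK_TYPE =
            Pattern.compile("\"clickType\"\\s*:\\s*\"(SINGLE|DOUBLE|LONG)\"");

    // Kept only while the Lambda container stays warm; this is not durable state.
    private int currentHue = 0;
    private boolean lightOn = true;

    // Pull the clickType field out of the IoT button payload.
    static String clickTypeOf(String snsMessage) {
        Matcher m = CLICK_TYPE.matcher(snsMessage);
        if (!m.find()) {
            throw new IllegalArgumentException("no clickType in button payload");
        }
        return m.group(1);
    }

    // Build the JSON body for PUT /api/<username>/lights/<id>/state.
    String payloadFor(String clickType) {
        switch (clickType) {
            case "DOUBLE":
                // Toggle the light on and off.
                lightOn = !lightOn;
                return "{\"on\":" + lightOn + "}";
            case "SINGLE":
                // Step the hue, wrapping around at the top of the range.
                currentHue = (currentHue + HUE_STEP) % 65536;
                lightOn = true;
                return "{\"on\":true,\"hue\":" + currentHue + "}";
            case "LONG":
                // Switch on the color loop effect.
                lightOn = true;
                return "{\"on\":true,\"effect\":\"colorloop\"}";
            default:
                throw new IllegalArgumentException("unknown clickType: " + clickType);
        }
    }

    @Override
    public String handleRequest(SNSEvent event, Context context) {
        // The IoT rule publishes the button payload as the SNS message body.
        String message = event.getRecords().get(0).getSNS().getMessage();
        String body = payloadFor(clickTypeOf(message));

        // Scheme and host are assumptions; see the security note in the post.
        String url = "http://" + BRIDGE_HOST + "/api/" + HUE_USERNAME
                + "/lights/" + LIGHT_ID + "/state";
        HttpRequest request = HttpRequest.newBuilder()
                .uri(URI.create(url))
                .header("Content-Type", "application/json")
                .PUT(HttpRequest.BodyPublishers.ofString(body))
                .build();
        try {
            HttpResponse<String> response = HttpClient.newHttpClient()
                    .send(request, HttpResponse.BodyHandlers.ofString());
            return response.body();
        } catch (IOException | InterruptedException e) {
            throw new RuntimeException("Hue bridge call failed", e);
        }
    }
}
```

Because the per-container fields are reset whenever Lambda starts a fresh container, the hue sequence restarts from zero after an idle period; keeping the current hue in a small external store would make it durable.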

I hope you find this post useful! Please leave links to any projects you feel like sharing using AWS IoT buttons and/or Philips Hue lights in the comment section below.

Sunday, August 6, 2017

Here's a quick walk through for creating an AWS lambda using Java. I happen to use IntelliJ with maven, but you can use whatever IDE and package management you prefer to use. You can find a similar walk-through in the online AWS documentation or in the AWS Lambda In Action book.

1. Create an IAM role for the Lambda to use:

Click the "Create new role" button.

In the "Select role type" section, Click the "Select" button for "AWS Lambda" from the "AWS Service Role" section.

Enter "AmazonS3FullAccess" in the policy filter, check the box next to that policy, and click the "Next step" button.

Enter a name in the "Role name" text box (for this example, use "hello-lambda-role"), and enter a fitting description in the "Role description" text box. Click the "Create role" button.

2. Create an S3 bucket.

3. Create a Java project for your AWS Lambda code:

Using IntelliJ, create a maven project using maven-archetype-quickstart.

Wednesday, July 26, 2017

AWS Identity and Access Management (IAM) Users and Multi-Factor Authentication (MFA)

Amazon Web Services are easy and incredibly fun to use. Need to spin up a web server and Redis cluster? No problem! But how do you protect the AWS account from unauthorized use? Well, IAM users and MFA of course!

The AWS Certified Solutions Architect exam guide covers IAM users and groups, as well as enabling MFA for your IAM user accounts, in Chapter 6. The exercises at the end of the chapter have you create an IAM group, an IAM user, and then enable MFA for your newly created IAM user (in exercise 6.6). I've really enjoyed going through the exam guide specifically due to the chapter review quizzes (answers with explanations are in the back of the book) and the exercises. Here are the steps that I used for creating an IAM group and user (using exercises 6.1 and 6.3 as the motivator, and following along in the very easy to use AWS console interface).

Creating an IAM Group:

Go to the IAM service in the AWS console.

Click the "Groups" console item.

Click the "Create New Group" button to start the group creation wizard.

Enter your group name in the "Group Name" text box and then click "Next Step". I chose "Administrators" as the AWS exam guide suggested.

In the Attach Policy step, the exam book tells you to click the "IAMFullAccess" policy check box. The "IAMFullAccess" policy gives the group members full access to IAM via the AWS Management Console. The AWS online documentation for creating your first user and group has you select the "AdministratorAccess" policy instead, which gives you full access to AWS services and resources. I chose the "AdministratorAccess" policy.

The last step is to review your proposed settings. Click the "Create Group" button. You'll be returned to the "Groups" list view, and you'll see your new group.

The "Require password reset" check box is checked by default. If you are creating a user for someone else to use, then it is a good idea to keep this option checked.

Click the "Next: Permissions" button.

On the "Permissions" step of the wizard, click the "Add user to group" image if it is not already highlighted (this is the default selection).

Check the checkbox for the group you created above.

Click the "Next: Review" button.

Click the "Create user" button. You'll be taken to a "Success" page where you can see the user listed. It contains a sign-in link that includes your AWS user ID as part of the URL, e.g. https://123456789012.signin.aws.amazon.com/console. You'll also be able to download the user credentials via a download button. The success page mentions that you can create new credentials at any time. The credentials file lists the user name and the sign-in link.

Enable MFA for an IAM user:

Go to the IAM service in the AWS console.

Click the "Users" console item.

Click on the user name of the user for whom you would like to enable MFA.

Click on the "Security credentials" tab.

Click on the edit icon for "Assigned MFA device".

Choose "A virtual MFA device" in the "Manage MFA Device" pop up dialog, and then click the "Next Step" button.

You're instructed to install an AWS MFA-compatible application on the device of your choice (PC, smartphone, etc.). There is a link in the dialog that will take you to a list of MFA-compatible applications. Install one of the compatible applications. I used the smartphone option, and installed the Google Authenticator application.

Click the "Next Step" button.

A QR code is displayed in the AWS "Manage MFA Device" pop up dialog, and you are instructed to use your smartphone to scan the code.

If you're using Google Authenticator, then a 6-digit code is displayed on your device, and it is refreshed every 30 seconds.

You're instructed to enter two consecutive 6-digit codes, and then told to click "Activate Virtual MFA".

At this point the user account is configured for MFA. The next time that user logs in they will be prompted to enter a 6-digit MFA code. Your MFA-enabled user account is now a lot more secure than it was. I highly recommend the exam guide even though it is starting to get a bit dated. The book gives you a condensed and comprehensive look, and the exercises really help drive home the material. I found that some of the exercises were a bit sparse in information, and no longer match what the AWS console shows you, but it is close enough that you can figure things out without getting lost. The experience was very fun, and the end result is that I now have a much more secure admin account!

The thing that I’ve enjoyed the most so far is the notes on when to use certain methods. In the chapter on streams (chapter 3), one particular method really stuck out for me: the filter method.

The filter method takes a predicate, and returns a stream of all the elements that match the predicate.

The book points out the following:

“Any time you’re looping over some data and checking each element, you might want to think about using the new filter method on Stream.”

Here is an example: the following code prints out the even numbers in a list:

List<Integer> numbers = Arrays.asList(1, 2, 3, 4, 5, 6, 7, 8);

for (int num : numbers) {
    if (num % 2 == 0) {
        System.out.println(num);
    }
}

The code above is pretty straightforward, but it could be written like this instead:

This might not look like a huge advantage, because there isn’t much difference between the two. The amount of code is basically the same as well. However, the benefit of the lambda version is that it can be chained together with other Stream methods.

For example, imagine that you have some data containing user IDs, and some user IDs have a special prefix to indicate a special user type. You might want to filter out the special users, and then return a list of users without the prefix and with the name in upper case letters.
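Here is an added example (not code from the original post or the book it discusses) that covers both cases above: the even-number loop rewritten with Stream.filter, and the user-ID scenario chaining filter with map. The prefix "svc-" and the sample IDs are assumptions made for the example.

```java
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;

// Added example: Stream.filter on its own, then filter chained with map.
public class FilterExamples {

    // The even-number loop from the post, expressed with Stream.filter.
    static List<Integer> evens(List<Integer> numbers) {
        return numbers.stream()
                .filter(num -> num % 2 == 0)
                .collect(Collectors.toList());
    }

    // Assumed marker for the "special" user type described in the post.
    static final String SPECIAL_PREFIX = "svc-";

    // Keep only the IDs carrying the special prefix, strip the prefix,
    // and upper-case what remains. Each step is a separate Stream call,
    // which is what the plain for-loop version cannot offer.
    static List<String> specialUsers(List<String> userIds) {
        return userIds.stream()
                .filter(id -> id.startsWith(SPECIAL_PREFIX))
                .map(id -> id.substring(SPECIAL_PREFIX.length()))
                .map(String::toUpperCase)
                .collect(Collectors.toList());
    }

    public static void main(String[] args) {
        List<Integer> numbers = Arrays.asList(1, 2, 3, 4, 5, 6, 7, 8);
        evens(numbers).forEach(System.out::println);

        // Constructed sample input.
        List<String> userIds = Arrays.asList("alice", "svc-backup", "bob", "svc-deploy");
        System.out.println(specialUsers(userIds));
    }
}
```

The filter and map calls are lazy; nothing runs until the terminal collect call, so adding or reordering a step in the chain does not change how many times the list is traversed.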

Monday, March 7, 2016

I've installed the aws command line on my Mac. It's super handy. However, the aws s3 command creates $folder$ files for every "directory" when a recursive copy is performed. It's super annoying. For example, you could have a "directory" in S3 named "myfiles". When you download the objects with "myfiles" in the path you will end up with a file named "myfiles_$folder$".

Running aws --version returns this info:

aws-cli/1.10.6 Python/2.7.10 Darwin/14.5.0 botocore/1.3.28

I haven't found anything that explains how I can prevent those files from being created, so I've been doing manual cleanup afterwards. This is the command I run:

find . -type f -name '*$folder$' -delete